@jumboclicks – We are not releasing any details on this security concern until we are very comfortable our user base has updated to minimize its potential.
– Cais.
PS: One topic/response would have been enough to ask this question. Thx.
@photocrati – I am curious as well. There are many apps that use imagerotator.swf, and you are the only entity that is saying there is a security issue with it. This is not an upload-type flash applet, and runs locally on people viewing the site, not on the server.
You have many, many people still using the old version of NGG due to all of the issues you had when you released 2.0, so if there is a serious server side security issue with the applet then simply not including it in earlier versions is far from appropriate or responsible.
-Michael
@mvandemar – All I am at liberty to say is that the vulnerability is not easily used as an attack vector but it is easily reproduced … and we always recommend everyone using NextGEN Gallery (and NextGEN Legacy) to keep up-to-date with at least the latest stable release.
Thanks!
– Cais.
Is the imagerotator.swf in ngg a proprietary one that you wrote, or is it open source?
-Michael
@mvandemar – We provide some additional information in this article: http://www.nextgen-gallery.com/flash-removed/
– Cais.
Unfortunately the file in question is a 3rd party file, which we do not have control over.
Was it open source? You don’t say in the article, and you shipped neither the source nor any kind of license for it with the plugin. NGG is GPL 2.0, which has specific requirements regarding source code, which near as I can tell you didn’t abide by, unless I missed where you guys put the source code. Did you include the source with NGG?
-Michael
@mvandemar – Please feel free to download an older version of NextGEN Gallery from under the Developer tab if you really want to have a look at the code itself. We do not recommend using it (due to the security issue) but you are more than welcome to view the source code there.
Thanks!
– Cais.
@photocrati – I am referring to the source code for imagerotator.swf. I did download an earlier version, and I did not see the source code included. Which directory is it in?
Thanks.
-Michael
@mvandemar – Searching the plugin folder will yield this result:
../wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_gallery/static/slideshow/imagerotator.swf
The current version of NextGEN Gallery includes it as an empty file.
Thanks!
– Cais.
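The post above gives the plugin path where imagerotator.swf sits and notes that the current release ships it as an empty file. An administrator checking a site for leftover Flash assets after updating would want a quick inventory rather than a manual search; the script below is an added example, not code from the thread or from the NextGEN Gallery project. It walks a WordPress plugins tree, lists every .swf file, and reports which are still non-empty. The directory layout it builds for the demonstration is constructed to mirror the path quoted above, and the PicLensLite.swf stand-in with fake contents is made up for the run.

```shell
#!/bin/sh
# Added example (not from the forum thread or the NextGEN Gallery project):
# inventory Flash (.swf) files under a WordPress install and report which
# ones still have content. An empty file is the remediated state described
# in the thread; a non-empty one is an asset the admin should review.

# Print one line per .swf file under $1:
#   "EMPTY <path>"            for zero-byte files
#   "NONEMPTY <bytes> <path>" for everything else
swf_inventory() {
    find "$1" -type f -name '*.swf' | sort | while IFS= read -r f; do
        if [ -s "$f" ]; then
            printf 'NONEMPTY %s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
        else
            printf 'EMPTY %s\n' "$f"
        fi
    done
}

# Number of non-empty .swf files under $1; 0 means nothing left to review.
swf_nonempty_count() {
    swf_inventory "$1" | grep -c '^NONEMPTY' || true
}

# Build a constructed sample tree under $1 that mirrors the path quoted in
# the thread. Contents are invented for the demonstration only.
build_sample_tree() {
    root="$1"
    ngg="$root/wp-content/plugins/nextgen-gallery"
    slideshow="$ngg/products/photocrati_nextgen/modules/nextgen_basic_gallery/static/slideshow"
    mkdir -p "$slideshow" "$ngg/legacy"
    : > "$slideshow/imagerotator.swf"              # empty placeholder, as shipped now
    printf 'FWS' > "$ngg/legacy/PicLensLite.swf"   # constructed 3-byte non-empty stand-in
}

# Stand-alone run: scan the constructed tree, then clean up.
demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
swf_inventory "$demo_root"
printf 'non-empty .swf files: %s\n' "$(swf_nonempty_count "$demo_root")"
rm -rf "$demo_root"
```

To scan a live site, call `swf_inventory /var/www/html` (or whatever the WordPress root is) and treat every NONEMPTY line as something to account for; the `-s` test is what distinguishes a neutralised placeholder from a real SWF that is still being served.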
@photocrati – Ok, that is a binary file. I am asking where the source code for that file is. Also, same question on these files as well:
PicLensLite.swf
Moxie.swf
persist.swf
-Michael
Michael, are you suggesting that NGG is violating the GPL?
@photocrati – you didn’t reply, is the source code available for those binaries?
@photocrati – you still haven’t answered the question. Where is the source code for those swf files that you are packaging with NGG?
Also, at what point do you plan to release info about the vulnerability?
@donna – it kind of looks that way, but I could be missing something.
Thanks.
-Michael